Last updated at Tue, 24 May 2022 20:05:26 GMT

The current cyber threat landscape is dominated by coronavirus-related attacks, exploits, and scams. But over the past few weeks, Rapid7 researchers have observed yet another new trend in black markets and cybercrime forums that has rapidly growing demand: stolen credentials for prominent YouTube accounts.

It should come as no surprise that global reliance on the Internet has skyrocketed during quarantine, with surges in internet usage and streaming services in particular. While YouTubers have always worked from home, the recent uptick in the number and sophistication of attacks against home users has resulted in more bots (malware-infected computers) that attackers can search for saved credentials to specific services. In fact, this searching is also offered as a service by cybercrime underground members.

YouTube accounts from compromised computers or from logs of credentials can be of high value. While smaller channels may not be as lucrative as larger ones, YouTubers rely on them as revenue streams and might be willing to pay money to attackers to get their content and access to their channels back.

As always with underground offerings, when there is demand the supply is soon to follow. In recent weeks, Rapid7 researchers have noticed an increasing number of stolen YouTube channel credentials, of varying subscriber counts, up for sale. Attackers must sell these accounts rather quickly before the owner has a chance to contact support and explain the situation. As a result, many of these auctions have time limits to speed up the process.

While there are many ways for attackers to target YouTube channel owners, it seems the recent accounts were harvested from databases containing Google credentials as well as from malware-infected computers. In the past, attackers used sophisticated phishing campaigns in combination with reverse proxy toolkits like Modlishka to defeat Google’s two-step verification (one-time password). However, none of the current sellers mention 2FA, which may mean these accounts had not opted in to this additional security step.

While 2FA is not a silver bullet against cybercriminals, it is highly recommended that YouTube users opt in to this additional security step, keep their computers properly patched, understand the risks and types of phishing attacks, and set up a recovery phone number or email.